PRIV- 32 – Record of PII User Access

What is this control about?

Implementing the control ‘Record of PII User Access’ is vital for ensuring the security and accountability of personal data within an organization. This control involves maintaining a comprehensive and detailed log of all instances where users access Personally Identifiable Information (PII) data. PII includes any information that can be used to identify an individual, such as names, addresses, Social Security numbers, or financial data.

Available tools in the marketplace

Tools:

ManageEngine NinjaOne AWS IAM

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

• N/A – No template recommendation

Control implementation

Here are some guidelines to implement an effective records of PII User Access program:

• Identify PII Data: Begin by identifying all systems, databases, and applications that store Personally Identifiable Information (PII) within the organization. This includes data such as names, addresses, social security numbers, or any other information that can directly or indirectly identify an individual.
• Define Access Policies: Work with the organization’s data owners and stakeholders to define access policies for PII data. Determine who should have access to what type of PII and under what circumstances. This will help establish clear guidelines for controlling user access.
• Implement Identity and Access Management (IAM) Solution: Deploy an IAM solution that allows for centralized control of user access to systems and applications containing PII data. Ensure that the IAM system is capable of generating detailed logs of user access activities.
• Configure Audit Logging: Enable audit logging and tracking features on systems and applications that store PII data. This includes database management systems, file servers, and other relevant platforms. Configure the logging to capture user access attempts, successful accesses, and access denials.
• Regularly Review Access Logs: Schedule regular reviews of the access logs to identify any unauthorized or suspicious activities related to PII data. Conduct thorough investigations into any unusual access patterns or potential security breaches.
• Enforce Least Privilege Principle: Implement the principle of least privilege, where users are only granted the minimum level of access necessary to perform their job functions. This reduces the risk of unauthorized access to sensitive data.
• Educate Users and Employees: Conduct training sessions to educate employees about the importance of data privacy and the proper handling of PII. Emphasize the significance of adhering to access control policies.
• Periodic Access Reviews: Conduct periodic access reviews to ensure that user access permissions are up-to-date and aligned with business needs. Remove any unnecessary or outdated access privileges promptly.

   

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

• Access Control Policy: The organization’s access control policy should clearly define roles and responsibilities related to user access to PII data. It should outline the procedures for granting, modifying, and revoking access privileges, as well as the process for conducting access reviews.
• Identity and Access Management (IAM) Configuration: Documentation related to the IAM system should be examined, including configurations and settings that enforce user access controls. This may include user roles, permissions, group memberships, and password policies.

   

Evidence example

For the suggested action, an example is provided below:

• Access Control Policy

Use the User Access Control Policy available within your TrustOps program.

• Identity and Access Management (IAM) Configuration